
Re: SSL 2.0 enabled or disabled?
From: Ralf Durkee <rd () rd1 net>
Date: Wed, 19 May 2004 20:55:17 -0400

At 05:22 PM 5/19/2004 -0400, Blane Perry wrote:
> Does anyone know of a tool that can scan a web server to determine which
> version of SSL is being used? nmap? nessus?

Nessus will report the SSL versions.

-- Ralf Durkee, CISSP, GSEC, GCIH
Principal Consultant

>>> Ralf Durkee <rd () rd1 net> 05/19/04 05:51AM >>>
> At 07:13 PM 5/18/2004 -0700, Ooper Starr wrote:
>> Given all the vulnerabilities with SSL 2.0, do most people disable SSL 2.0
>> on their servers or are there concerns of potential loss of consumers
>> may only have clients that support 2.0 who use the application? IE's
>> defaults are SSL 2.0 & 3.0 enabled and TLS 1.0 disabled. Any good
>> about this topic?
>
> As you suggest SSLv2 should be disabled as it is vulnerable. It can be
> disabled without concern for loss of customers. I have been requiring or
> recommending (depending on my role) disabling SSLv2 for several years, at
> least since late 2000, as all of the browsers support sslv3 or better. I
> always found it curious that IE disables TLSv3 by default, I suspect the MS
> decision maker just didn't know what TLS was. Most of the servers I
> reviewed or audited for the first time, do not disable SSLv2 at least
> after the first review. I also recommend disabling SSLv2 on the
> browser and enabling SSLv3 and TLSv1. I have only found 2 web servers
> 2000 that didn't support SSLv3 or TLSv1. Although when IE encounters a
> server that doesn't support its required versions, it will just sit
> and "spin" when it can't complete the handshake, there's no error
>
> -- Ralf Durkee, CISSP, GSEC, GCIH
> Principal Consultant
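For the question of how a scanner reports whether a server still speaks SSL 2.0, here is an added Python check that is not part of this thread and not Nessus code: it does what such tools do for SSLv2 specifically, sending a raw SSLv2 CLIENT-HELLO (SSLv2 has its own record layout, so Python's ssl module cannot test it) and reporting whether an SSLv2 SERVER-HELLO comes back. The SAMPLE_SERVER_HELLO bytes are constructed for illustration; the host argument is a server you administer.

```python
"""Added example: does a web server still accept SSL 2.0?  SSLv2 has its own record
layout, so this sends a raw SSLv2 CLIENT-HELLO and looks for an SSLv2 SERVER-HELLO."""
import os
import socket
import struct

# SSLv2 CIPHER-KIND values (3 bytes each) from the SSL 2.0 specification.
SSLV2_CIPHERS = {
    b"\x01\x00\x80": "SSL_CK_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL_CK_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL_CK_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL_CK_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}
# Constructed SERVER-HELLO (not a real capture): 2-byte dummy cert, offers RC4-128 and 3DES.
SAMPLE_SERVER_HELLO = (b"\x80\x23\x04\x00\x01\x00\x02\x00\x02\x00\x06\x00\x10"
                       b"\x30\x82\x01\x00\x80\x07\x00\xc0" + b"\x00" * 16)

def build_sslv2_client_hello(challenge=None):
    """CLIENT-HELLO: type(1) version(2) cipher_len(2) sid_len(2) chal_len(2) ciphers sid challenge."""
    challenge = challenge or os.urandom(16)
    ciphers = b"".join(SSLV2_CIPHERS)
    body = b"\x01\x00\x02" + struct.pack(">HHH", len(ciphers), 0, len(challenge))
    body += ciphers + challenge
    # Record header: high bit set, 15-bit body length, no padding byte.
    return struct.pack(">H", 0x8000 | len(body)) + body

def parse_sslv2_server_hello(data):
    """Cipher names offered by an SSLv2 SERVER-HELLO, or None when the reply is not one."""
    # SSLv3/TLS-only servers answer with record type 0x15 (alert) or 0x16 (handshake).
    if len(data) < 13 or not data[0] & 0x80 or data[2] != 0x04:
        return None
    # SERVER-HELLO: type(1) sid_hit(1) cert_type(1) version(2) cert_len(2) cipher_len(2) conn_id_len(2)
    cert_len, cipher_len = struct.unpack(">HH", data[7:11])
    specs = data[13 + cert_len:13 + cert_len + cipher_len]
    return [SSLV2_CIPHERS.get(specs[i:i + 3], specs[i:i + 3].hex()) for i in range(0, len(specs), 3)]

def probe_sslv2(host, port=443, timeout=5.0):
    """None means SSLv2 is disabled; a list means the server completed an SSLv2 hello."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_sslv2_client_hello())
        return parse_sslv2_server_hello(s.recv(4096))

if __name__ == "__main__":
    import sys
    found = probe_sslv2(sys.argv[1]) if len(sys.argv) > 1 else parse_sslv2_server_hello(SAMPLE_SERVER_HELLO)
    print("SSLv2 disabled" if found is None else f"SSLv2 ENABLED, offering: {found}")
```

With no host argument the script parses the constructed sample instead of connecting, so the parser can be exercised offline.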
